CONSEQUENCES OF NON-COMPLIANCE FROM A COMPANY PERSPECTIVE
“If you think compliance is expensive, try non-compliance” – this much-quoted statement by former U.S. Attorney Paul McNulty makes it clear why it pays off to establish an appropriate compliance system as a preventive measure, even from a company’s point of view. This article deals with the potentially disastrous legal consequences of failing to implement an appropriate compliance system.
I. Introduction
In the last article in our two-part compliance series, we discussed the decision of the Nuremberg Higher Regional Court on the liability of the managing director under § 43 para. 2 German Act on Limited Liability Companies (Gesetz betreffend die Gesellschaften mit beschränkter Haftung – GmbHG) due to missing or insufficient compliance management systems. This article subsequently deals first with further civil and criminal law risks for managing directors and board members and then with the consequences of non-compliance from the company’s point of view. Due to the large number of conceivable liability situations, this article is not intended to be comprehensive. The aim is rather to sensitize the reader to the topic by means of a few selected relevant examples.
II. Liability risks for managing directors/board members
As already presented in the last newsletter, the managing director of a GmbH is liable for the damage resulting from the non-establishment or inadequate implementation of a compliance management system pursuant to § 43 para. 2 GmbHG. Equivalent to this is the liability of the management board of a stock corporation under § 93 para. 2 German Stock Corporation Act (Aktiengesetz – AktG) (for members of the supervisory board under §§ 116 para. 1 sentence 1, 93 para. 2 AktG). The standard of fault is the ordinary care of a business manager, § 93 para. 1 AktG, whereby the management board benefits from the so-called Business Judgement Rule, § 93 para. 1 sentence 2 AktG, as a liability privilege. However, managing directors not only have to fear liability under civil law, they also bear personal responsibility for the fulfillment of all tax obligations of the company, §§ 34 I and 69 German Fiscal Code (Abgabenordnung – AO).
Furthermore, compliance violations are also subject to fines of up to EUR 10 million, §§ 9, 30, 130 German Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – OWiG). However, since § 130 OWiG is relevant as a connecting act for the company’s liability, this legal basis will be explained in more detail under III.
Supervisor liability (as for example in § 4 German Code of Crimes against International Law (Völkerstrafgesetzbuch – VStGB)) is not provided for in the liability system of the German Criminal Code (Strafgesetzbuch – StGB). In addition to the commission of own criminal acts, e.g. non-payment of social security contributions, §§ 266a, 14 StGB, breach of trust § 266 StGB, bribery and corruption in business transactions, § 299 StGB or subsidy fraud, § 264 StGB, criminal liability in the compliance context is particularly conceivable on the basis of indirect perpetration, § 25 para. 1 alt. 2 StGB, by instructions to engage in illegal conduct or pursuant to § 13 StGB. The guarantor status required for the assumption of criminal liability for failure to act pursuant to § 13 StGB exists only with regard to the prevention of company-related criminal acts. In the case of criminal acts that have no internal connection with the company’s operations, in particular acts that the employee merely commits on the occasion of his or her work at the company, there is no guarantor status under criminal law.
The impact of the Business Judgement Rule under civil law (§ 93 para. 1 sentence 2 AktG) is also interesting in this context. According to the case law of the Federal Court of Justice (BGH), the application of the crime of breach of trust is to be limited to “clear and distinct cases of actions in breach of duty; serious breaches of duty can only be affirmed if the breach of duty is evident”. According to the case law of the BGH, a violation of § 93 para. 1 sentence 1 AktG always also constitutes a serious breach of duty within the meaning of § 266 StGB, while compliance with the Business Judgement Rule (§ 93 para. 1 sentence 2 AktG) excludes a breach of duty under § 266 StGB.
III. Non-compliance from a company perspective
From a company’s point of view, a lack of or inadequate compliance can have an impact in a wide variety of areas, e.g. tax law (Steuerrecht), public procurement law (Vergaberecht), employment law (Arbeitsrecht) or antitrust law (Kartellrecht). Since a comprehensive presentation of all areas would exceed the scope of this article, the topic will be presented on the basis of the examples of the OWiG, supply chain law and data protection.
1. Fines under the OWiG
Pursuant to § 30 OWiG, a fine of up to EUR 10 million can be imposed on the company for breaches of duty committed by its executive bodies. The basis for the breach of duty committed may be, for example, a breach by the management board under capital market law of § 40 para. 1 sentence 1 German Securities Trading Act (Gesetz über den Wertpapierhandel – WpHG) (notification obligation of the issuer (Mitteilungspflicht des Emittenten)). The company is generally liable for this, § 30 I no. 1 OWiG. § 30 OWiG represents a breach of the principle that a company cannot commit a wrong (societas delinquere non potest) and standardizes the possibility of a direct corporate sanction.
§ 30 OWiG is “only” an attribution norm, which is why a so-called connecting act is always required. A connecting act within the meaning of § 30 OWiG can be any administrative offense or criminal act. Particularly relevant in this context is § 130 OWiG (violation of supervisory duties in companies and enterprises) as a connecting act.
In the objective facts, § 130 (in conjunction with § 9) OWiG presupposes an omission of those supervisory measures that are necessary and reasonable in order to counter the risk of violations of operational and company-related duties. Since the law only provides for concrete requirements in a few cases (e.g. §§ 25 a German Banking Act (Gesetz über das Kreditwesen – KWG), 33 WpHG, 9, 9a German Money Laundering Act (Geldwäschegesetz – GWG), …), the only orientation for most companies is the systematization made in the literature and the concretization by case law. The literature divides the bundle of duties of the supervisor into the following five levels: careful selection of employees and, if necessary, supervisors (1st level), proper organization and allocation of duties (2nd level), appropriate instruction and information of employees about their tasks and duties (3rd level), sufficient supervision and control of employees (4th level), intervention against violations (5th level).
However, the nature and scope of the five levels of supervisory duty just presented are concretized by case law. Accordingly, the scope is determined in particular by “the type, size and organization of the business, the different monitoring possibilities, but also the variety and importance of the regulations to be observed and the susceptibility of the business to violations of these regulations, whereby in particular such errors may play a role that have already been made in the past”. It becomes clear that a generalization of the required supervisory measures is prohibited and that a case-by-case consideration is always required. In principle, however, only those supervisory measures can be required that are also suitable for preventing company-related violations (suitability principle). The business owner may make a choice between several possible measures and decide on the mildest (suitable and equally effective) means of supervision (principle of the mildest means (Grundsatz des mildesten Mittels)).
It is also possible to order the confiscation of the value of proceeds of crime pursuant to §§ 30 para. 5, 29a OWiG or, in the case of criminal offenses, pursuant to § 30 V OWiG in conjunction with §§ 73, 73c StGB. In this respect, the so-called gross principle (Bruttoprinzip) applies, i.e. in the case of a contract obtained through bribery, for example, only the production and labor costs can be deducted from the value of the contract, but not prohibited investments, e.g. bribes disguised as consultancy fees.
2. Compliance obligations under the German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz)
In an earlier article, we already presented the main contents of the German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz – LkSG), which will come into force on 1 January 2023. This also affects the compliance obligations of companies. According to § 1 para. 1 LkSG, initially only companies with at least 3,000 employees in Germany are covered by the scope of application, but from 1 January 2024 this limit will be lowered to 1,000 employees.
If the due diligence requirements are not met, companies may be subject to substantial fines under § 24 LkSG. In the case of legal entities or associations of persons with an average annual turnover of more than EUR 400 million, these violations can in some cases be punished with a fine of up to two percent of the average annual turnover. When assessing the fine, previous administrative offenses under § 30 OWiG (also in conjunction with § 130 OWiG) are to be taken into account as aggravating factors, among other things, § 24 para. 4 no. 6 LkSG. As an additional sanction, companies that have been fined for a legally established violation shall be excluded from participation in the award of a supply, construction or service contract of the contracting authority pursuant to §§ 99 and 100 German Competition Act (Gesetz gegen Wettbewerbsbeschränkungen – GWB) until proven self-purification pursuant to § 125 GWB (§ 22 LkSG).
3. Compliance and data protection
From a company’s perspective, a lack of compliance or insufficient compliance can also lead to significant fines in the area of data protection. It has not yet been conclusively settled whether Article 83 of the GDPR can give rise to direct liability of legal entities (according to the Bonn Regional Court and the prevailing opinion in the literature) or whether, due to the reference in § 41 German Data Protection Act (Bundesdatenschutzgesetz – BDSG), fines for data protection violations against legal entities are only possible under the conditions of § 30 para. 1 and 4 OWiG (according to the Berlin Regional Court). Corresponding questions were submitted to the ECJ for a preliminary ruling. However, it is clear that non-compliance with data protection regulations can lead to severe fines.
IV. Consequences for the practice
Companies should (also) make efforts to implement or review a compliance management system in their own interest. It is not possible to specify in detail which measures are required, as this is ultimately a case-by-case decision. In particular, the measures must be appropriate for a company of the corresponding size and industry (risk propensity) (see III). For smaller companies and start-ups in particular, however, this requirement of appropriateness often offers the opportunity to establish an appropriate compliance management system with relatively manageable but targeted measures. The implementation of an effective compliance management system can also reduce fines when imposing a corporate fine pursuant to § 30 OWiG. This even applies to actions that are only implemented as a result of the state investigation. It is therefore never too late to take compliance measures, although ideally, of course, preventive action should be taken.
For more information please contact
Dr. Jörg Schwichtenberg
honert munich
Partner, Attorney-at-Law
Corporate, Business Law, Compliance, Capital Markets, Litigation
Dr. Peter Slabschi, LL.M. (London)
honert hamburg
Partner, Attorney-at-Law
Litigation, M&A, Succession Planning, Corporate, Capital Markets
Dr. Franziska Strobel, LL.M. (LSE)
honert hamburg
Attorney-at-Law
Business Law, Litigation, M&A